Passing in a non-string 'html' argument can lead to unsanitized output
Moderate severity • GitHub Reviewed • Published Jun 18, 2021 in ericnorris/striptags • Updated Feb 1, 2023

Reviewed: Jun 18, 2021
Published to the GitHub Advisory Database: Jun 18, 2021
Published by the National Vulnerability Database: Jun 18, 2021
Last updated: Feb 1, 2023

Description
A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.

Impact
XSS
Patches
3.2.0
Workarounds
Ensure that the html parameter is a string before calling the function.
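The workaround stated above, enforced in code. This is an added example and is not code from the striptags project or from the advisory; the names requireHtmlString, makeStrictStrip, readHtmlParam and handleRequest are chosen here, and the regex stripper is only a stand-in for the real library call so that the block runs offline. It also shows why the check matters: a repeated query parameter is parsed as an array, which is exactly the input shape the advisory warns about.

```javascript
// Added example, not code from the striptags project: a guard that enforces
// the advisory's workaround by making sure the `html` argument is a primitive
// string before any tag-stripping function sees it.

// Return `value` unchanged if it is a primitive string; otherwise throw.
// Arrays and array-like objects ({ length: n, 0: ..., 1: ... }) are rejected
// even though they answer `.length` and index lookups the way a string does.
function requireHtmlString(value, paramName = 'html') {
  if (typeof value !== 'string') {
    throw new TypeError(`${paramName} must be a string, got ${describeType(value)}`);
  }
  return value;
}

// Human-readable type name for the error message.
function describeType(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Wrap any tag-stripping function so the guard runs on every call.
function makeStrictStrip(strip) {
  return (html, ...rest) => strip(requireHtmlString(html), ...rest);
}

// Stand-in stripper so the example runs offline; in an application this would
// wrap the real library: makeStrictStrip(require('striptags')).
const strictStrip = makeStrictStrip((html) => html.replace(/<[^>]*>/g, ''));

// Constructed sample input: a query string in which the same parameter is
// repeated. URLSearchParams.getAll (and many frameworks' query parsers) yield
// an array for it, which is the kind of "shape" a caller cannot assume away.
function readHtmlParam(queryString) {
  const values = new URLSearchParams(queryString).getAll('html');
  return values.length === 1 ? values[0] : values; // string, or an array when repeated
}

// Handle a request safely: validate before stripping, fail closed otherwise.
function handleRequest(queryString) {
  try {
    return { ok: true, text: strictStrip(readHtmlParam(queryString)) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, error: err.message };
    throw err;
  }
}
```

The guard deliberately uses `typeof value !== 'string'` rather than checking for `.length` or `.indexOf`, because an array or array-like object satisfies those duck-typing checks while still not being a string.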